2

Is there any way for Apache to support SSHA passwords?

I have a couple of dozens of user passwords in an OpenLDAP server which are encrypted with SSHA (i.e. salted SHA1). No more users are to be added in the future, so I would like to move all credentials in a .htpasswd file for simplifying maintenance.

The problem is that Apache only supports unsalted (thus insecure) SHA1 passwords. Is there any mod to add support for SSHA passwords to Apache?

If a module specifically for this does not exist, could this functionality be achieved with mod-authnz-external and some external utility?

m000
  • 430
  • 1
  • 4
  • 11
  • Quick search showed this: https://github.com/DrGkill/htpasswd-ssha – dawud Jun 11 '13 at 18:38
  • This could help in conjuction with mod-authnz-external, but requires some development and testing to implement the password checking functionality. I may give it a go if I don't find any out-of-the-box solution. – m000 Jun 12 '13 at 11:45
  • Have you found a solution? –  Dec 09 '13 at 14:55
  • Unfortunatelly, I haven't. – m000 Dec 09 '13 at 23:59
  • It totally depends of your setup, but isn't mod_authz_ldap an option? – Mauricio López Mar 20 '14 at 14:12
  • and using mod_auth_ldap is not an option? – Olivier S Mar 26 '14 at 04:39
  • @OlivierS I am using mod_authz_ldap for most applications but there are a few where either offering matching LDAP accounts is out of my control or where contacting the ldap server is out of the question. Being able to fetch the existing SSHA password fields, put them in an .htaccess file, add a few more and bundle the result as a stand alone deployment of a site is the use case here. – Caleb Mar 26 '14 at 10:30
  • This is not very straightforward but why don't you import the ldap accounts you can not contact directly into a directory you can contact? – Olivier S Mar 26 '14 at 19:39
  • @OlivierS Mostly because LDAP is a pain in the butt and having to have a some sort of slave LDAP server on a variety of systems including embedded devices is way more work and introduces far more potential for breakage than having a .htaccess file in the DocumentRoot. – Caleb Mar 28 '14 at 11:17
  • Sorry but apart from patching and compiling yourself mod_authn_file.c I don't see clean solution. – Olivier S Mar 28 '14 at 20:20

0 Answers0